Spring Security Web: 기본 웹 보안 표현 식 핸들 러 결 성 웹 보안 표현 식 프로세서

개술DefaultWebSecurityExpressionHandlerSpring Security Web 보안 표현 식 프로세서 Web 에 사 용 됩 니 다.이것 은 결 성 된 설정 과 그 당시 환경 을 바탕 으로 지정 한 handler 안전 표현 식 에 대해 값 을 구 할 것 입 니 다.Web 주어진 DefaultWebSecurityExpressionHandler 과 요청 컨 텍스트 token 에 대해 평가 컨 텍스트 FilterInvocation 를 만 듭 니 다.그리고 EvaluationContext 값 을 구 해서 사용 하도록 제공 합 니 다.예 를 들 어 SPEL 에서 이렇게 응용 되 었 다.
public class WebExpressionVoter implements AccessDecisionVoter<FilterInvocation> {
	// expressionHandler      DefaultWebSecurityExpressionHandler
	private SecurityExpressionHandler<FilterInvocation> expressionHandler = 
		new DefaultWebSecurityExpressionHandler();

	public int vote(Authentication authentication, FilterInvocation fi,
			Collection<ConfigAttribute> attributes) {
		assert authentication != null;
		assert fi != null;
		assert attributes != null;

		//   Web         
		WebExpressionConfigAttribute weca = findConfigAttribute(attributes);

		if (weca == null) {
			//         ,   ACCESS_ABSTAIN:0     
			return ACCESS_ABSTAIN;
		}
		//      DefaultWebSecurityExpressionHandler    EvaluationContext
		EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication,
				fi);
		ctx = weca.postProcess(ctx, fi);

		//   Web         weca     ,               ctx,
		//       ,    boolean     
		//         true,    ACCESS_GRANTED:1,      ACCESS_DENIED:-1
		return ExpressionUtils.evaluateAsBoolean(weca.getAuthorizeExpression(), ctx) ? ACCESS_GRANTED
				: ACCESS_DENIED;
	}


소스 코드 분석
소스 버 전: 5.1.2. RELEASE
package org.springframework.security.web.access.expression;

import org.springframework.security.access.expression.AbstractSecurityExpressionHandler;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.expression.SecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.Assert;


public class DefaultWebSecurityExpressionHandler extends
		AbstractSecurityExpressionHandler<FilterInvocation> implements
		SecurityExpressionHandler<FilterInvocation> {

	//       Authentication     anonymous, rememberMe
	//     AuthenticationTrustResolverImpl
	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

	//          
	private String defaultRolePrefix = "ROLE_";

	//       token authentication           fi    SecurityExpressionOperations,
	//   SecurityExpressionOperations         EvaluationContext   
	@Override
	protected SecurityExpressionOperations createSecurityExpressionRoot(
			Authentication authentication, FilterInvocation fi) {	
		WebSecurityExpressionRoot root = new WebSecurityExpressionRoot(authentication, fi);
		root.setPermissionEvaluator(getPermissionEvaluator());
		root.setTrustResolver(trustResolver);
		root.setRoleHierarchy(getRoleHierarchy());
		root.setDefaultRolePrefix(this.defaultRolePrefix);
		return root;
	}

	/**
	 * Sets the  AuthenticationTrustResolver to be used. The default is
	 * AuthenticationTrustResolverImpl.
	 *
	 * @param trustResolver the AuthenticationTrustResolver to use. Cannot be
	 * null.
	 */
	public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
		Assert.notNull(trustResolver, "trustResolver cannot be null");
		this.trustResolver = trustResolver;
	}

	/**
	 * 
	 * Sets the default prefix to be added to 
	 * org.springframework.security.access.expression.SecurityExpressionRoot#hasAnyRole(String...) 
	 * or org.springframework.security.access.expression.SecurityExpressionRoot#hasRole(String). 
	 * For example, if hasRole("ADMIN") or hasRole("ROLE_ADMIN")
	 * is passed in, then the role ROLE_ADMIN will be used when the defaultRolePrefix is
	 * "ROLE_" (default).
	 * 
	 *      hasAnyRole(String...)  hasRole(String)       。      ,      
	 * "ROLE_"。
	 * 
	 * If null or empty, then no default role prefix is used.
	 *         ,      null    "",          。
	 *
	 * @param defaultRolePrefix the default prefix to add to roles. Default "ROLE_".
	 */
	public void setDefaultRolePrefix(String defaultRolePrefix) {
		this.defaultRolePrefix = defaultRolePrefix;
	}
}

WebExpressionVoter 계승 DefaultWebSecurityExpressionHandler, 진정 으로 AbstractSecurityExpressionHandler 을 만 드 는 방법 도 현재 이 종류 에서:
package org.springframework.security.access.expression;

import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.expression.BeanResolver;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;

/**
 * Base implementation of the facade which isolates Spring Security's requirements for
 * evaluating security expressions from the implementation of the underlying expression
 * objects.
 * Spring Security                ,              ,  Web  ,    。
 * 
 * @author Luke Taylor
 * @since 3.1
 */
public abstract class AbstractSecurityExpressionHandler<T> implements
		SecurityExpressionHandler<T>, ApplicationContextAware {
	//      spel parser	
	private ExpressionParser expressionParser = new SpelExpressionParser();
	private BeanResolver br;
	private RoleHierarchy roleHierarchy;
	//      denyAll    
	private PermissionEvaluator permissionEvaluator = new DenyAllPermissionEvaluator();

	public final ExpressionParser getExpressionParser() {
		return expressionParser;
	}

	public final void setExpressionParser(ExpressionParser expressionParser) {
		Assert.notNull(expressionParser, "expressionParser cannot be null");
		this.expressionParser = expressionParser;
	}

	/**
	 * Invokes the internal template methods to create  StandardEvaluationContext
	 * and SecurityExpressionRoot objects.
	 *
	 * @param authentication the current authentication object
	 * @param invocation the invocation (filter, method, channel)
	 * @return the context object for use in evaluating the expression, populated with a
	 * suitable root object.
	 */
	public final EvaluationContext createEvaluationContext(Authentication authentication,
			T invocation) {
		// createEvaluationContext          ,                 
		// SecurityExpressionOperations   
		SecurityExpressionOperations root = createSecurityExpressionRoot(authentication,
				invocation);
		//   	EvaluationContext,           	StandardEvaluationContext
		StandardEvaluationContext ctx = createEvaluationContextInternal(authentication,
				invocation);
		//            bean,    bean   ,      Spring bean  		
		ctx.setBeanResolver(br);
		//    EvaluationContext            SecurityExpressionOperations root
		ctx.setRootObject(root);

		return ctx;
	}

	/**
	 * Override to create a custom instance of StandardEvaluationContext.
	 *   StandardEvaluationContext     ,
	 *      StandardEvaluationContext ,                  
	 * StandardEvaluationContext    
	 * 
	 * The returned object will have a SecurityExpressionRootPropertyAccessor
	 * added, allowing beans in the ApplicationContext to be accessed via
	 * expression properties.
	 *
	 * @param authentication the current authentication object
	 * @param invocation the invocation (filter, method, channel)
	 * @return A StandardEvaluationContext or potentially a custom subclass if
	 * overridden.
	 */
	protected StandardEvaluationContext createEvaluationContextInternal(
			Authentication authentication, T invocation) {
		return new StandardEvaluationContext();
	}

	/**
	 * Implement in order to create a root object of the correct type for the supported
	 * invocation type.
	 *
	 * @param authentication the current authentication object
	 * @param invocation the invocation (filter, method, channel)
	 * @return the object wh
	 */
	protected abstract SecurityExpressionOperations createSecurityExpressionRoot(
			Authentication authentication, T invocation);

	protected RoleHierarchy getRoleHierarchy() {
		return roleHierarchy;
	}

	public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
		this.roleHierarchy = roleHierarchy;
	}

	protected PermissionEvaluator getPermissionEvaluator() {
		return permissionEvaluator;
	}

	public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
		this.permissionEvaluator = permissionEvaluator;
	}

	public void setApplicationContext(ApplicationContext applicationContext) {
		br = new BeanFactoryResolver(applicationContext);
	}
}

좋은 웹페이지 즐겨찾기